Feed aggregator

Steve Kemp: I've been moving and updating websites.

Planet Debian - Fri, 08/07/2016 - 05:30

I've spent the past days updating several of my websites to be "responsive". Mostly that means I open the site in firefox then press Ctrl-alt-m to switch to mobile-view. Once I have the mobile-view I then fix the site to look good in small small space.

Because my general design skills are poor I've been fixing most sites by moving to bootstrap, and ensuring that I don't use headers/footers that are fixed-position.

Beyond the fixes to appearances I've also started rationalizing the domains, migrating content across to new homes. I've got a provisional theme setup at steve.fi, and I've moved my blog over there too.

The plan for blog-migration went well:

  • Setup a redirect to from https://blog.steve.org.uk to https://blog.steve.fi/
  • Replace the old feed with a CGI script which outputs one post a day, telling visitors to update their feed.
    • This just generates one post, but the UUID of the post has the current date in it. That means it will always be fresh, and always be visible.
  • Updated the template/layout on the new site to use bootstrap.

The plan was originally to setup a HTTP-redirect, but I realized that this would mean I'd need to keep the redirect in-place forever, as visitors would have no incentive to fix their links, or update their feeds.

By adding the fake-RSS-feed, pointing to the new location, I am able to assume that eventually people will update, and I can drop the dns record for blog.steve.org.uk entirely - Already google seems to have updated its spidering and searching shows the new domain already.

Categories: Elsewhere

Appnovation Technologies: Drupal 8 and the User Experience Upgrade

Planet Drupal - Fri, 08/07/2016 - 02:27

Drupal and user experience can sometimes be at odds.

Categories: Elsewhere

Lior Kaplan: First uses of the PHP 5.4 security backports

Planet Debian - Fri, 08/07/2016 - 02:07

I recently checked the Debian PHP 5.4 changelog and found out this message (5.4.45-0+deb7u3 and 5.4.45-0+deb7u4):

* most patches taken from https://github.com/kaplanlior/php-src
Thanks a lot to Lior Kaplan for providing them.

I was very pleased to see my work being used, and I hope this would save other time while providing PHP long term support.

Also, while others do similar work (e.g. Remi from RedHat), it seems I’m the only when that make this over GIT and with full references (e.g. commit info, CVE info and bug number).

Comments and suggestions are always welcome… either mail or even better – a pull request.

Filed under: Debian GNU/Linux, PHP
Categories: Elsewhere

Matthew Garrett: Bluetooth LED bulbs

Planet Debian - Fri, 08/07/2016 - 00:38
The best known smart bulb setups (such as the Philips Hue and the Belkin Wemo) are based on Zigbee, a low-energy, low-bandwidth protocol that operates on various unlicensed radio bands. The problem with Zigbee is that basically no home routers or mobile devices have a Zigbee radio, so to communicate with them you need an additional device (usually called a hub or bridge) that can speak Zigbee and also hook up to your existing home network. Requests are sent to the hub (either directly if you're on the same network, or via some external control server if you're on a different network) and it sends appropriate Zigbee commands to the bulbs.

But requiring an additional device adds some expense. People have attempted to solve this in a couple of ways. The first is building direct network connectivity into the bulbs, in the form of adding an 802.11 controller. Go through some sort of setup process[1], the bulb joins your network and you can communicate with it happily. Unfortunately adding wifi costs more than adding Zigbee, both in terms of money and power - wifi bulbs consume noticeably more power when "off" than Zigbee ones.

There's a middle ground. There's a large number of bulbs available from Amazon advertising themselves as Bluetooth, which is true but slightly misleading. They're actually implementing Bluetooth Low Energy, which is part of the Bluetooth 4.0 spec. Implementing this requires both OS and hardware support, so older systems are unable to communicate. Android 4.3 devices tend to have all the necessary features, and modern desktop Linux is also fine as long as you have a Bluetooth 4.0 controller.

Bluetooth is intended as a low power communications protocol. Bluetooth Low Energy (or BLE) is even lower than that, running in a similar power range to Zigbee. Most semi-modern phones can speak it, so it seems like a pretty good choice. Obviously you lose the ability to access the device remotely, but given the track record on this sort of thing that's arguably a benefit. There's a couple of other downsides - the range is worse than Zigbee (but probably still acceptable for any reasonably sized house or apartment), and only one device can be connected to a given BLE server at any one time. That means that if you have the control app open while you're near a bulb, nobody else can control that bulb until you disconnect.

The quality of the bulbs varies a great deal. Some of them are pure RGB bulbs and incapable of producing a convincing white at a reasonable intensity[2]. Some have additional white LEDs but don't support running them at the same time as the colour LEDs, so you have the choice between colour or a fixed (and usually more intense) white. Some allow running the white LEDs at the same time as the RGB ones, which means you can vary the colour temperature of the "white" output.

But while the quality of the bulbs varies, the quality of the apps doesn't really. They're typically all dreadful, competing on features like changing bulb colour in time to music rather than on providing a pleasant user experience. And the whole "Only one person can control the lights at a time" thing doesn't really work so well if you actually live with anyone else. I was dissatisfied.

I'd met Mike Ryan at Kiwicon a couple of years back after watching him demonstrate hacking a BLE skateboard. He offered a couple of good hints for reverse engineering these devices, the first being that Android already does almost everything you need. Hidden in the developer settings is an option marked "Enable Bluetooth HCI snoop log". Turn that on and all Bluetooth traffic (including BLE) is dumped into /sdcard/btsnoop_hci.log. Turn that on, start the app, make some changes, retrieve the file and check it out using Wireshark. Easy.

Conveniently, BLE is very straightforward when it comes to network protocol. The only thing you have is GATT, the Generic Attribute Protocol. Using this you can read and write multiple characteristics. Each packet is limited to a maximum of 20 bytes. Most implementations use a single characteristic for light control, so it's then just a matter of staring at the dumped packets until something jumps out at you. A pretty typical implementation is something like:


where r, g and b are each just a single byte representing the corresponding red, green or blue intensity. 0x56 presumably indicates a "Set the light to these values" command, 0xaa indicates end of command and 0xf0 indicates that it's a request to set the colour LEDs. Sending 0x0f instead results in the previous byte (0x00 in this example) being interpreted as the intensity of the white LEDs. Unfortunately the bulb I tested that speaks this protocol didn't allow you to drive the white LEDs at the same time as anything else - setting the selection byte to 0xff didn't result in both sets of intensities being interpreted at once. Boo.

You can test this out fairly easily using the gatttool app. Run hcitool lescan to look for the device (remember that it won't show up if anything else is connected to it at the time), then do gatttool -b deviceid -I to get an interactive shell. Type connect to initiate a connection, and once connected send commands by doing char-write-cmd handle value using the handle obtained from your hci dump.

I did this successfully for various bulbs, but annoyingly hit a problem with one from Tikteck. The leading byte of each packet was clearly a counter, but the rest of the packet appeared to be garbage. For reasons best known to themselves, they've implemented application-level encryption on top of BLE. This was a shame, because they were easily the best of the bulbs I'd used - the white LEDs work in conjunction with the colour ones once you're sufficiently close to white, giving you good intensity and letting you modify the colour temperature. That gave me incentive, but figuring out the protocol took quite some time. Earlier this week, I finally cracked it. I've put a Python implementation on Github. The idea is to tie it into Ulfire running on a central machine with a Bluetooth controller, making it possible for me to control the lights from multiple different apps simultaneously and also integrating with my Echo.

I'd write something about the encryption, but I honestly don't know. Large parts of this make no sense to me whatsoever. I haven't even had any gin in the past two weeks. If anybody can explain how anything that's being done there makes any sense at all[3] that would be appreciated.

[1] typically via the bulb pretending to be an access point, but also these days through a terrifying hack involving spewing UDP multicast packets of varying lengths in order to broadcast the password to associated but unauthenticated devices and good god the future is terrifying

[2] For a given power input, blue LEDs produce more light than other colours. To get white with RGB LEDs you either need to have more red and green LEDs than blue ones (which costs more), or you need to reduce the intensity of the blue ones (which means your headline intensity is lower). Neither is appealing, so most of these bulbs will just give you a blue "white" if you ask for full red, green and blue

[3] Especially the bit where we calculate something from the username and password and then encrypt that using some random numbers as the key, then send 50% of the random numbers and 50% of the encrypted output to the device, because I can't even

Categories: Elsewhere

Drupal Blog: Drupal 7.50 released

Planet Drupal - Thu, 07/07/2016 - 20:28

Drupal 7.50, the next release in the Drupal 7 series, is now available for download. It contains a variety of new features, improvements, and bug fixes (no security fixes).

Wait... Drupal 7.50?

Yes, there is a version jump compared to the previous 7.44 release; this is to indicate that this Drupal 7 point release is a bit larger than past ones and makes a few more changes and new features available than normal.

Updating your existing Drupal 7 sites is recommended. Backwards compatibility is still being maintained, although read on to find out about a couple of changes that might need your attention during the update.

Download Drupal 7.50 Notable changes

There are a variety of new features, performance improvements, security-related enhancements (although no fixes for direct security vulnerabilities) and other notable changes in this release. The release notes provide a comprehensive list, but here are some highlights.

New "administer fields" permission added for trusted users

The administrative interface for adding and configuring fields has always been something that only trusted users should have access to. To make that easier, there is now a dedicated permission which is required (in addition to other existing administrative permissions) to be able to access the field UI.

For example, you can now assign the "administer taxonomy" permission (but withhold the new "administer fields" permission) to allow low-level administrators to manage taxonomy terms but not change the field structure. Read the change record for more information.

Protection against clickjacking enabled by default

Clickjacking is a technique a malicious site owner can use to attempt attacks on other sites, by embedding the victim's site into an iframe on their own site.

To stop this, Drupal will now prevent your site from being embedded in an iframe on another domain. This is the default behavior, but it can be adjusted if necessary; see the change record to find out more.

Support for full UTF-8 (emojis, Asian symbols, mathematical symbols) is now possible on MySQL

If content creators on your site have been clamoring to use emojis, it's now possible on Drupal sites running MySQL (it was previously possible on PostgreSQL and SQLite). Turning this capability on requires the database to meet certain requirements, plus editing the site's settings.php file and potentially other steps, as described in the change record.

Improved support for recent PHP versions, including PHP 7

Drupal core's automated test suite is now fully passing on a variety of environments where there were previously some failures (PHP 5.4, 5.5, 5.6, and 7). We have also fixed several bugs affecting those versions. These PHP versions are officially supported by Drupal 7 and recommended for use where possible.

Because PHP 7 is the newest release (and not yet used on many production sites) extra care should still be taken with it, and there are some known bugs, especially in contributed modules (see the discussion for more details). However anecdotal evidence from a variety of users suggests that Drupal 7 can be successfully used on PHP 7, both before and after the 7.50 release.

Improved performance (and new PHP warnings) when Drupal is trying to find a file that does not exist

When Drupal cannot find a file that it expects to be in the filesystem, it will no longer continually search for it on a large number of page requests (previously, this could significantly hurt your site's performance). Instead, it will record a PHP warning about the problem.

Read the change record for more information, and make sure your production site is not configured to show warning messages like this on the screen, since it is not desirable for site visitors to see them. (In order to configure this, go to "Administration" → "Configuration" → "Development" → "Logging and errors" and set the "Error messages to display" option to "None".)

Improvements to help search engines index your site's images/CSS/JavaScript

Modern search engine web crawlers read images, CSS and JavaScript (just like a regular web browser) when crawling a site, and they use this information to improve search results.

Drupal's default robots.txt file now includes rules to allow search engines to access more of these files than it previously allowed them to, which may help certain search engines better index your site. See the change record for additional details.

More information
  • You can find the full list of changes between the previous 7.44 release and the current 7.50 release by reading the 7.50 release notes.
  • Also see the release notes for additional update information and known issues discovered after the release.
  • You can find a complete list of all changes in the stable 7.x branch in the git commit log.
  • Translators should be aware of a few administrative-facing translatable string changes and additions in this release.
Security information Future releases
  • Drupal 7 is being actively maintained, so more maintenance releases will be made available, according to our monthly release cycle.
  • We will consider continuing to do larger Drupal 7 releases like this one every six months or so (where the next larger release will be 7.60, in keeping with Drupal's new release cycle) if there is interest and continued contributions from the community. See the ongoing discussion for further details.
New Drupal 7 co-mainainers

In case you missed the news earlier, we recently added two new Drupal 7 co-maintainers: Fabianx (@fabianfranz) and stefan.r (@stefan_arrr)! Despite only having been official maintainers for the past two weeks, they put in an enormous amount of effort and skill into Drupal 7.50, which was essential in getting it out the door with all the improvements mentioned above.


Overall, 230 people were credited with helping to fix issues included in this release:

akoepke, alanburke, Alan D., alberto56, Albert Volkman, alexmoreno, alexpott, amontero, andypost, ar-jan, arosboro, askibinski, attiks, basvredeling, beejeebus, benjy, Berdir, bmateus, borisson_, botris, bradjones1, brianV, broeker, c960657, Carsten Müller, catch, checker, chintan.vyas, chirhotec, Christian DeLoach, ChristophWeber, chx, cilefen, ciss, ckng, colinmccabe, corbacho, criz, cspitzlay, cwoky, dagmar, DamienMcKenna, damien_vancouver, darol100, Darren Oh, das-peter, Dave Reid, davic, david_garcia, David_Rothstein, dawehner, dcam, DerekL, donutdan4114, droplet, DuaelFr, e._s, eesquibel, eiriksm, Elijah Lynn, emcniece, Eric_A, EvanSchisler, ExTexan, Fabianx, felribeiro, fgm, fietserwin, forestgardener, gcardinal, geerlingguy, gielfeldt, Girish-jerk, greggles, GrigoriuNicolae, Gábor Hojtsy, hass, Henrik Opel, heyyo, hgoto, hussainweb, idebr, ifrik, imanol.eguskiza, IRuslan, izaaksom, jackbravo, jacob.embree, jbekker, jbeuckm, jduhls, jenlampton, jeroen.b, jhodgdon, jibran, joachim, joegraduate, joelpittet, johnpicozzi, joseph.olstad, joshtaylor, Josh Waihi, jp.stacey, jsacksick, jthorson, JvE, jweowu, kala4ek, Kars-T, Ken Ficara, kenorb, kevinquillen, Kgaut, KhaledBlah, klausi, klokie, kristiaanvandeneynde, kristofferwiklund, ksenzee, k_zoltan, leschekfm, Liam Morland, lOggOl, lokapujya, Lowell, lucastockmann, Lukas von Blarer, maciej.zgadzaj, marcelovani, mariagwyn, Mark Theunissen, marvin_B8, maximpodorov, mayaz17, MegaChriz, mfb, mgifford, micaelamenara, mikeytown2, Mile23, mimran, minax.de, miro_dietiker, mistermoper, Mixologic, mohit_aghera, mondrake, mpv, mr.baileys, MustangGB, Neograph734, nevergone, nicholas.alipaz, nicrodgers, NikitaJain, nithinkolekar, nod_, Noe_, onelittleant, opdavies, orbmantell, oriol_e9g, ParisLiakos, pashupathi nath gajawada, Peacog, Perignon, Peter Bex, peterpoe, pfrenssen, PieterDC, pietmarcus, pjcdawkins, pjonckiere, Polonium, pounard, presleyd, pwaterz, pwolanin, rafaolf, rbmboogie, realityloop, rhclayto, rocketeerbkw, rpayanm, rupertj, Sagar Ramgade, sanduhrs, scor, scottalan, scuba_fly, sdstyles, snehi, soaratul, SocialNicheGuru, Spleshka, stefan.r, stovak, sun, Sutharsan, svanou, Sweetchuck, swentel, sylus, s_leu, tadityar, talhaparacha, tatisilva, tbradbury, therealssj, travelvc, TravisCarden, TravisJohnston, treyhunner, tsphethean, tstoeckler, tucho, tuutti, twistor, TwoD, typhonius, vasi1186, Wim Leers, Xano, xjm, yannickoo, yched, YesCT, zaporylie, Zerdiox, and znerol.

(This list was auto-generated, so apologies if anyone was left out.)

Your name could be on a list like this in the future; see the Ways to get involved page to find out how.

Thank you to everyone who helped with Drupal 7.50!

Categories: Elsewhere

Lior Kaplan: Anonymous CVE requests

Planet Debian - Thu, 07/07/2016 - 19:21

A year ago I’ve blogged about people requesting CVE without letting upstream know. On the other hand, per requests from Debian, I’m working on improving PHP upstream CVE request process. For the last few release this means I ask the security list members which issues they think should have CVE and ask for them in parallel to the release being made (usually in the space between the release being tagged publicly and is actually announced).

In the last week, I’ve encountered a case where a few CVE were assigned to old PHP issues without any public notice. The fixes for these issues have been published a year ago (August 2015). And I find out about these assignment through warning published by the distributions (mostly Debian, which I’m close to).

Sometimes things fall between the chairs, and it’s perfectly OK to ask for CVE to make sure security issues do get attention even if time has passed. But after the issues (and fixes) are public, I don’t see a reason to do so without making the request itself public as well. And even if the request wasn’t public, at least notify upstream so this info can be added to the right places. Most of these bug were found out when I started to add sequential number into the CVE search after getting an a notice from Debian for two of the issues.

  • CVE-2015-8873 for PHP #69793
  • CVE-2015-8874 for PHP #66387
  • CVE-2015-8876 for PHP #70121
  • CVE-2015-8877 for PHP #70064
  • CVE-2015-8878 for PHP #70002
  • CVE-2015-8879 for PHP #69975
  • CVE-2015-8880 for PHP aa8cac57 (Dec 2015)

And while working on processing these issues for PHP, I also notice they weren’t updated for libGD where appropriate (including recent issues).

I hope this blog post will reach the anonymous people behind these CVE requests, and also the people assigning them. Without transparency and keeping things in synchronization, the idea of having a centralized location for security warning is not going to accomplish its goals.

Filed under: Debian GNU/Linux, PHP
Categories: Elsewhere

Michal Čihař: uTidylib 0.3

Planet Debian - Thu, 07/07/2016 - 18:00

Several years ago I've complained about uTidylib not being maintained upstream. Since that time I've occasionally pushed some fixes to my GitHub repository with uTidylib code, but without any clear intentions to take it over.

Time has gone and there was still no progress and I started to consider becoming upstream maintainer as well. I quickly got approval from Cory Dodt, who was the original author of this code, unfortunately he is not owner of the PyPI entry and the claim request seems to have no response (if you know how to get in touch with "cntrlr" or how to take over PyPI module please let me know).

Anyway the amount of patches in my repository is big enough to warrant new release. Additionally Debian bug report about supporting new HTML tidy library came in and that made me push towards releasing 0.3 version of the uTidylib.

As you might guess, the amount of changes against original uTidylib is quite huge, to name the most important ones:

Anyway as I can not update PyPI entry, the downloads are currently available only on my website: https://cihar.com/software/utidylib/

Filed under: Debian English uTidylib | 0 comments

Categories: Elsewhere


Subscribe to jfhovinne aggregator